10.08.2017

Insecure venture

On the price of hacker attacks and the toxic cyber environment
Ruslan Yusufov
Director for Private Clients, Group-IB
Do you want me to increase the capitalization of your business by 1.8-15% for free and without SMS? Sit back and let's talk about hackers and cyber threats.
Here are two completely different companies in terms of their revenues, size and business profile: the tech giant Yahoo! and the French construction company Vinci. They have one common feature: they were both hit by hackers. Cyber criminals stole the personal data of more than 1 billion Yahoo! service users and falsified news about Vinci's financial performance.

As a result, Yahoo! sold its web assets to Verizon $350 million cheaper than had been planned (moreover, the companies agreed to share all the future legal fees connected with the leak), and Vinci shares slumped 18%. And if big companies are hit that hard, promising new startups may be completely destroyed by hacker attacks.

In 14 years of cyber-crime investigation, we, Group-IB, have learned it like a mantra: most cyber attacks have financial motives. Hackers want to steal money from bank accounts or snatch information to sell on the black market. Criminals yearn to gain access to correspondence or other important data to extort money for non-disclosure. Finally, they will be glad to take your files or even your whole business hostage by blocking all information needed for work and demanding a ransom for that (for example, that is what happened during the recent WannaCry outbreak).
(Image: the screen of a computer blocked by WannaCry)
Most often, the damage caused by cyber attacks far surpasses the financial advantages gained by the cyber criminals. Imagine that a manufacturing plant's computer systems are infected with a cryptoworm. In such cases, we recommend not paying the ransom, since there are no guarantees of information recovery (the people you interact with are criminals!) and, moreover, it will stimulate more criminal activity of that type. But, for purposes of our case, let's assume the plant management decided to pay the ransom – $300 for each of the infected computers with the most important data.

To save money, the head of the IT department proposes uninstalling all noncritical systems and installing everything anew. Consequently, expenditures to redeem the information stored in accounting department computers, as well as on mail servers and in backup systems, amounted to only several thousand dollars – if we speak only of the benefit to the cyber criminals.
But the business suffered additional losses from remedial measures:
  1. System reinstallation
     It was decided to reinstall the systems on users' computers, resulting in the loss of most working documents. Even though the management had tried to introduce a rule to store all the important files on shared drives, users still saved lots of folders on their desktops.
  2. Down time
     The plant itself actually stopped working for several days. Knowing the production volumes, it's easy to calculate the loss of profit – new goods were not manufactured and old ones were not sold.
  3. Disruption of supplies
     During the down time, the plant did not meet its obligations: trading partners did not receive their supplies on time and had a right to demand late fees and apply penalties.
  4. Losses
     We shouldn't forget that the business continued to pay salaries to dozens of people who were not able to create added value.
  5. Contingencies
     In some cases, the damage caused by cyber attacks is accompanied by expenses for forensic investigation and consultation with external experts, lawyers and advisers.
In this case, we had a business that was mainly represented offline and used the Internet only for communication and payments. Now imagine the cost of down time for a business represented only on the web:


  • an online business will suffer losses from advertisements that are ineffective during a hacker attack
  • an online shop will not be able to sell goods and it may result not only in the loss of profit, but also in cash deficiencies
  • for some services connected with access to users' personal data, such an attack may imply the end of the business
After the Panama Scandal and the leaking of information about thousands of offshore companies, the whole world came to know about Mossack Fonseca. But do they have any more clients now? Most likely, they will lose their users. The hacked data storage system is a blot on their reputation – no one would store their files in a 'leaky' cloud. Stealing money from a bank's correspondent account (or massive hacking of client accounts) and the resulting publicity may result in customer outflow and in lots of questions from regulators.
Perhaps the potential damage caused by cyber attacks is underestimated most of all by venture capital funds, especially those investing in hi-tech startups (immersed in the web) or financial startups (immersed in finance). Investors' money is usually invested in business development, testing business models, acquisition of customers and employees and other areas that are often a far cry from security issues. We cannot blame founders for wanting to earn money for their investors and not wanting 'extra' expenditures. In my observation, security is definitely not the top priority for most startups. And that's wrong.

Researchers from Oxford Economics found that public companies irrevocably lose an average of 1.8% of their value as a result of cyber attacks. For the 100 companies with the highest market capitalization on the London Stock Exchange (FTSE 100), 1.8% is £120 million! And that's the average, because, in some cases, the damage may amount to 15%. But according to one survey, 87% of people working for such companies, to their credit, call cyber attacks a key risk for their organizations. The second emerging trend is the more noticeable negative impact of cyber attacks on stock prices as compared to the past.
Investors – whether venture capital funds or business angels – that invest their time and money in an asset are interested in growth of the company's value. Of course, shareholders prefer not to intervene heavily in business development and they do not ask questions about security – this is done by the team of founders (at least with great presentation skills).

As a provident investor, don't be afraid to ask about security if you don't want to lose your assets tomorrow. Founders should be prepared: a generation of thoughtful investors is coming up and soon they'll be asking inconvenient questions. After that, one of the key points in your elevator pitch will be "our security and the security of our users."

Venture investments are called that for a reason: they are based on risks, but the potential double-digit profit attracts many people, as does the long-shot chance of creating a new Facebook, Uber or Snapchat (or whatever people dream about nowadays). Thus, the high risk is justified by a high yield.

The cyber environment is highly insecure. Anyone who ever reads the business press understands that. Neglecting cyber threats today is a real crime against yourself and your business. On the other hand, such a business can also be called a venture – because if you turn a blind eye to cyber threats, the risks for your business will also grow!
To finish, here is a self-assessment test.
Ask yourself two questions:
  1. How much would it cost if all your IT systems broke down for at least a week?
  2. How many cyber attacks has your company suffered in the last week?
If you know the answer to the second question, it will help you understand how it is possible to answer the first one (to tell the truth, a week-long breakdown of systems is getting off lightly in a cyber attack).

If you don't know the answer to the second question, but your business card says "CEO," write to us and we'll tell you everything for free (but get yourself a sedative).